The European Commission has published a draft Regulation in what will be a comprehensive reform of the EU’s data protection law. This is aimed at giving users more control over how their personal information is handled on the Internet, while also facilitating online commerce.
The proposals have arisen as a result of several public consultations and a strategy set out in 2010 to strengthen and streamline data protection rules in Europe. Currently, each EU member state has its own system in place based on the manner in which it implemented the 1995 Data Protection Directive. The new proposals will implement a single set of rules across the EU and will not require any further implementing measures by member states.
Key Changes Proposed:
- Substantial Fines – Increased powers will be given to national authorities to impose severe fines on companies in breach of the new laws, potentially up to 2% of global annual turnover
- Right To Be Forgotten – Internet users will be afforded a “right to be forgotten”, enabling them to ensure the deletion of their online data if there are no legitimate grounds for it being stored
- Data Portability – There will also be a right to data portability enabling users to transfer personal information freely to and from competing companies
- One Stop Shop – It is proposed to make companies operating in at least one EU member state (including companies based outside the EU) subject to these data protection obligations. The regulator in one home member state will oversee the application of the company’s data protection regime across the entire EU. These companies will need to take care to ensure that the appropriate member state is the regulator. After the thorough, practical and positive way the Irish Office of the Data Protection Commissioner (ODPC) reviewed the operations of Facebook in the EU (see our previous article here), Ireland will be a prime candidate in this regard
- Data Transfers – Businesses will be able to establish a single set of binding corporate rules (BCRs) to be approved by one regulator which will then apply across the EU
- Registration/Notification – It will no longer be necessary to register or to file data transfer contracts with the local regulator. The ODPC already generally exempts businesses from the need for registration and has never required data transfer contracts to be filed. However, many other EU countries impose such requirements, so overall this pro-business approach is very welcome.
The Commission has estimated that the removal of red tape and the expected increase in consumer confidence online will generate over €2 billion annually for EU companies. It is hoped this will encourage international organisations to set up in EU member states.
The proposed reforms will now be passed to the European Parliament for discussion. If approved, the draft Regulation contained in the proposal will become directly effective in all EU member states in approximately two years.
View the latest edition of IDEA, our Intellectual Property ezine here.
Contributed by David Cullen.
Back to Legal News
